A new dawn for payment security

Travel managers, and the service providers who assist them, are having to cope with unprecedented upheaval right now, so what follows is probably unwelcome news.

Over the next 18 months many companies throughout Europe (including the UK) will have to change the way they pay for travel if they use plastic corporate cards for pre-trip purchases.

The new rules are connected with Strong Customer Authentication, a tightening of identity verification protocol for making online payments. SCA was originally scheduled to become mandatory in September 2019. That was pushed back because, says Jeremy Dyball, commercial head of travel payments for Amadeus, “issuers weren’tready and it would have killed too manytransactions.”

The new deadlines are 31 December 2020 in the European Union and 14 September 2021 in the UK.

Intended to reduce fraud, SCA will mean that typing in a card number, expiry date and three-digit security number will no longer be accepted as sufficient verification for online purchases. Additional authentication will be required – the most familiar at present being entering a one-time password (OTP) sent to the cardholder’s mobile phone. AirPlus International introduced this measure for its corporate cards on the original September 2019 deadline.

SCA brings the curtain down on some time-honoured but woefully risky business travel payment practices where the holder of a plastic card isn’t available to authenticate.

“Some companies may no longer be able to use shared cards, such as those held by an administrator on behalf of a team or department,” says Clive Cornelius, head of travel for Visa’s Business Solutions Europe division.

“I can’t give my corporate card to my secretary anymore and ask them to buy stuff online,” says Maria Parpou,chief product & commercial officer for commercial payments at Barclaycard. “That message has landed. Corporate cards are increasingly being used only for expenses on the road.”

Also likely to go the way of the dodo is travel management companies using a client traveller’s plastic card number stored in their system to pay for bookings the TMC makes on public websites.

“In some cases, such as using a visa service, the TMC may have to pay for it up-front and invoice the client,” warns AirPlus UK managing director Paul Spelman.

Happily, several kinds of exemption potentially leave many forms of corporate travel payment unchanged by SCA. Most importantly by far, lodge cards (centrally billed accounts) and virtual cards are not affected – a huge relief for the travel industry given that applying SCA to payment processes not associated with an individual payer would have been logistically close to impossible.

“The basis for the exemption is that historically fraud rates are very low,” Spelman explains. “We now have to report on that. To retain the exemption, the fraud rate must not exceed 0.01 per cent, which is only £100 for every £1 million spent. But these products historically have been below that.

Fraud rates are especially low on virtual cards because controls can be applied to where each card can be used, when and for what. To keep fraud super-low, “we now insist these controls are used,” says Spelman.

Card payments are also exempted if they are whitelisted. This is a list that cardholders can create of trusted beneficiaries (named payees) for which they confirm SCA is not needed.

And there is also an exemption for any payments, including with plastic cards, for transactions made through a “secure corporate environment.” This could, in theory, include business travellers booking through an online booking tool, or TMCs booking on a traveller’s behalf through a global distribution system (as opposed to through a public website).

Sounds great, but… 
All these exemptions sound very helpful. Unfortunately, says Francesco Cerlienco, EMEA head of product for Citi Commercial Cards, three major unresolved complications could yet throw a huge spanner into the smooth workings of corporate travel payments.

The first challenge applies to situations where no exemptions apply and therefore SCA is required. The basis of SCA is that two kinds of authentication must be used from something you know (such as an OTP), something you possess (such as a card) and something you are (biometric ID).

It was originally understood that a 16-digit plastic card number would count as something you possess but last year the European Banking Authority ruled this out. “A text message delivering an OTP has to become the possession factor, which means we need another factor,” says Cerlienco.

Solutions that issuers are looking at include asking cardholders to input two digits from their card PIN or using fingerprint recognition. Both have their downsides: cardholders can forget PINs and not all cardholders have smartphones, or are necessarily prepared to use them for work purposes, especially in countries such as Germany and France where workers’ councils or unions are powerful.

The next problem is the whitelisting exemption. Card schemes are introducing different processes, leading to inconsistencies. Perhaps even more seriously, says Cerlienco, “there is no database of clean merchant names.”

For example, the same airline might use one business entity to charge clients for a flight to Brussels and a different one for a flight to New York. Perhaps the biggest uncertainty of all is over flagging. As discussed, there is a secure corporate process exemption for online booking tool reservations or TMC bookings that flow through a GDS.

That’s just as well, because payment for those bookings is often not processed at point of sale but hours later – often the next day. “There’s no way you can do SCA in those circumstances,” says Cerlienco.

Therefore a “flag” has to be produced within the reservation and payment process to alert the card issuer that the transaction has taken place within a secure environment and qualifies for exemption.

Two challenges arise. The first, says Cerlienco, is that “Visa and Mastercard have developed flags but other stakeholders in the process are in different states of readiness. The travel industry is moving very slowly, especially the traditional airlines.”

The other difficulty is that applying the exemption is at the discretion of the issuer. “We will be honouring those flags but other issuers are taking the view that a flag is not enough because they are not in control of the situation.”

Parpou agrees flagging is an unresolved issue. “We will accept it but there’s some ambiguity about whether it’s acceptable within the regulations,” she says. “As a card issuer I have no means to check the flags. We will monitor this closely.”

This profusion of complexities explains why, according to AirPlus’s Spelman, “we will really push our customers to use plastic just for on-trip expenditure, which also helps keep their credit levels down.”

Sticking to lodge or virtual cards is the only sure-fire way to avoid getting entangled in the uncertainties of SCA.

Will they ever understand? 
At the same time, the card and travel industries believe regulators have still not grasped the complexities of travel payments. Although the battle for travel industry exemptions is over on a pan-European level, efforts continue on a national basis.

The association UK Banking, for example, has formed a hospitality and travel group to engage with the Financial Conduct Authority on the implementation of SCA in the UK. And don’t rule out a further delay to SCA in its entirety given the distraction of more momentous global events beyond the world of e-commerce payments.

This has already happened in the UK, where the FCA has allowed an extra six months because of coronavirus, and payment companies are pushing hard for another postponement in the EU.

“Only about 30 per cent of merchants are ready for SCA and coronavirus won’t help with this,” says Parpou. “Maybe legislators will say it’s not the right time to create further friction within the process.”